On Thursday, March 31, 2016 10:25:52 AM Yuri Schaeffer wrote:
> Hi Fredrik,
>
> > When I was happy with it, I got my DS records published in the .net zone
> > and after that I wanted to move the zone to policy default. Turns out,
> > keys are secretly associated with policies for some reason, so opendnssec
> > wanted to generate a new KSK but failed since the YubikeyNEO4PIV
> > repository doesn't support key generation. I did not want to generate
> > new KSKs.
>
> As far as I know OpenDNSSEC 1.x does not support this kind of operation.
> Keys are linked to a policy since the policy dictates their parameters
> and, more importantly, lifetime and TTLs.

Thank you for the quick response. It would have been easier to understand that if "ods-ksmutil key import" took a --policy rather than --zone.

Does <ShareKeys/> span policies? How come ShareKeys appears to be a setting for all keys of all types, and not a setting per repository or key-type?

/Fredrik

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
